Tim Butler timbutler

## gist:5bc681bd3ba1e3e99b7ab80c6723ec47
// DEBUG----------------------------------------------------------
for k, v := range c.Request.Header {
    log.Infof("Key: %s, Value: %s", k, v)
}

## quickaudit.ps1
Write-Host "Getting Login Events"
$Out = @()
$List = Get-EventLog Security -Computer localhost | Where-Object {$_.InstanceId -eq 4624}
ForEach($Entry in $List) {

    If($Entry.ReplacementStrings[18] -notcontains "-"){

    $Out += New-Object PSObject -Property @{
        InstanceID = $Entry.InstanceId
        User = $Entry.ReplacementStrings[5]

## gist:46e54e19efe19fea2faf
awk '{print $7}' access_log|cut -d? -f1|sort|uniq -c|sort -nk1|tail -n10

## fortigate50.pattern
FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}

FORTIGATE_LITEBASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

FORTIGATE_LITEBASE2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

# 185 - IPS
FORTIGATE_185 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? msg=\"%{GREEDYDAT

## postfix
# Postfix stuff based on https://gist.github.com/jbrownsc/4694374:

QUEUEID (?:[A-F0-9]+|NOQUEUE)
EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
POSREAL [0-9]+(.[0-9]+)?
DELAYS (%{POSREAL}[/]*)+
DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
STATUS sent|deferred|bounced|expired

## fortigate52.pattern
FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}
FORTIGATE_52BASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"
FORTIGATE_52BASEV2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"
FORTIGATE_52IPS severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} sessionid=%{NUMBER:sessionid} action=%{DATA:action} proto=%{NUMBER:proto} service=%{DATA:service} attack="%{DATA:attack}" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} direction=%{NUMBER:direction} attackid=%{NUMBER:attackid} profile=\"%{DATA:profile}\" ref=\"%{DATA:ref}\";? incidentserialno=%{NUMBER:incidentserialno} msg=\"%{GREEDYDATA:msg}\"
FORTIGATE_52DOS severity=%{WORD:severity} s
	// DEBUG----------------------------------------------------------
	for k, v := range c.Request.Header {
	log.Infof("Key: %s, Value: %s", k, v)
	}
	Write-Host "Getting Login Events"
	$Out = @()
	$List = Get-EventLog Security -Computer localhost \| Where-Object {$_.InstanceId -eq 4624}
	ForEach($Entry in $List) {

	If($Entry.ReplacementStrings[18] -notcontains "-"){

	$Out += New-Object PSObject -Property @{
	InstanceID = $Entry.InstanceId
	User = $Entry.ReplacementStrings[5]
	FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}

	FORTIGATE_LITEBASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

	FORTIGATE_LITEBASE2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"

	# 185 - IPS
	FORTIGATE_185 severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} srcintf=\"%{HOST:srcintf}\" policyid=%{DATA:policyid} identidx=%{DATA:identidx} sessionid=%{NUMBER:sessionid} status=%{DATA:status} proto=%{NUMBER:proto} service=%{DATA:service} count=%{NUMBER:count} attackname=\"%{DATA:attackname}\" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} attackid=%{NUMBER:attackid} sensor=\"%{DATA:sensor}\" ref=\"%{DATA:ref}\";? msg=\"%{GREEDYDAT
	# Postfix stuff based on https://gist.github.com/jbrownsc/4694374:

	QUEUEID (?:[A-F0-9]+\|NOQUEUE)
	EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
	EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
	RELAY (?:%{HOSTNAME:relayhost}(?:\[%{IP:relayip}\](?::[0-9]+(.[0-9]+)?)?)?)
	POSREAL [0-9]+(.[0-9]+)?
	DELAYS (%{POSREAL}[/]*)+
	DSN %{NONNEGINT}.%{NONNEGINT}.%{NONNEGINT}
	STATUS sent\|deferred\|bounced\|expired
	FORTIDATE %{YEAR:year}\-%{MONTHNUM:month}\-%{MONTHDAY:day}
	FORTIGATE_52BASE <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"
	FORTIGATE_52BASEV2 <%{NUMBER:syslog_index}>date=%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}\"
	FORTIGATE_52IPS severity=%{WORD:severity} srcip=%{IP:srcip} dstip=%{IP:dstip} sessionid=%{NUMBER:sessionid} action=%{DATA:action} proto=%{NUMBER:proto} service=%{DATA:service} attack="%{DATA:attack}" srcport=%{NUMBER:srcport} dstport=%{NUMBER:dstport} direction=%{NUMBER:direction} attackid=%{NUMBER:attackid} profile=\"%{DATA:profile}\" ref=\"%{DATA:ref}\";? incidentserialno=%{NUMBER:incidentserialno} msg=\"%{GREEDYDATA:msg}\"
	FORTIGATE_52DOS severity=%{WORD:severity} s